Data Processing Agreement
If you or your practice are based in the United States, then the US version of our Terms of Service and the US version of our End User Terms apply to you.
If you or your practice are not in the United States, then the outside USA version of our Terms of Service and outside USA version of our End User Terms apply to you.
1.1 This Data Processing Agreement is made between Physitrack PLC, a company incorporated in England and Wales, with company number 08106661, registered address 125 London Wall, London, EC2Y 5AS (“Physitrack”), and the customer (“You”) identified in the Main Agreement.
1.2 Definitions
“Data Protection Legislation” shall mean all applicable data protection and privacy legislation in force from time to time including without limitation the UK GDPR (the retained EU law version of the General Data Protection Regulation ((EU) 2016/679)); the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
“EU P-to-C Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Four (Processor-to-Controller).
“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable laws of the foregoing territories, to the extent such transfers are subject to such applicable laws.
“Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 available at:
https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en
(“EU SCCs”) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
1.3 Both You and Physitrack will comply with the applicable requirements of Data Protection Legislation generally.
1.4 You shall retain control of the Customer Personal Data and undertake to Physitrack that You have the legal right to disclose Customer Personal Data to Physitrack and that You have provided the Data Subjects with all appropriate notices and obtained any necessary authorisations. You shall ensure that all individuals who provide written instructions are authorised to do so.
1.5 Without prejudice to the generality of paragraph 1.3 above, Physitrack shall, in relation to Customer Data:
1.5.1. Process Your Personal Data only on Your written instructions. The scope, nature, purpose and duration of the processing and Your Personal Data categories and Data Subject types are described in the below table “Data Processing Details”;
1.5.2. keep Your Personal Data confidential and ensure its personnel are subject to a duty of confidentiality;
1.5.3. comply with Your reasonable instructions with respect to processing Your Personal Data;
1.5.4. Not transfer Your Personal Data outside of the UK or EEA unless, in accordance with the Data Protection Legislation, Physitrack ensures that:
- the transfer is to a country approved as providing an adequate level of protection for Your Personal Data; or
- there are appropriate safeguards in place for the transfer of Your Personal Data; or
- one of the derogations for specific situations applies to the transfer.
1.5.5. Physitrack ensures to assist You at Your own cost in responding to any data subject access request and to ensure compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;
1.5.6. Physitrack ensures to notify You without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach or communication which relates to Your or Physitrack's compliance with the Data Protection Legislation; and
1.5.7. maintain complete and accurate records and information to demonstrate compliance with this Clause and allow for audits by You or Your designated auditor; and
1.5.8. inform You if, in its opinion, an instruction infringes Data Protection Legislation.
1.6 Physitrack shall ensure that they have in place appropriate technical or organisational measures, to protect against unauthorised or unlawful processing of Your Personal Data and against accidental loss or destruction of, or damage to, Your Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
1.7 Insofar as the provision of the services leads to a Restricted Transfer of Your Personal Data, You and Physitrack hereby enter into the EU P-to-C Transfer Clauses and the UK Addendum (where applicable) on the basis that the exporter is Physitrack and the importer is You, and on the basis that:
(a) The EU P-to-C Transfer Clauses will be completed as follows:
- in Clause 7, the optional docking clause will apply;
- in Clause 11, the additional redress mechanism will not apply;
- in Clause 14, the EEA processor will be combining personal data received from the third country-controller with personal data collected by the processor in the EEA;
- Clauses 17 and 18 shall be governed by the jurisdiction of Ireland and disputes shall be resolved before the courts of the jurisdiction of Ireland;
- for the purposes of Annex I to the EU P-to-C Transfer Clauses: (a) the categories of data transferred are Company Data (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are described in the below table “Data Processing Details”;
- For the purpose of Annex II the security measures are specified at https://www.physitrack.com/information-security which are hereby incorporated by reference.
(b) The UK Addendum will apply as follows:
- The EU P-to-C Transfer Clauses (as amended as specified by Part 2 of the UK Addendum) are completed as set out above in Section 1.6 (a); and
- Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out above in Section 1.6 (a) (as applicable) and table 4 in Part 1 shall be deemed completed by selecting "data exporter".
1.8 Physitrack shall retain personal data in accordance with the terms of its Retention Policy which can be accessed via https://www.physitrack.com/data-retention-policy.
1.9 You undertake to inform Physitrack of any changes to the email address You have provided during the provision of Services.
1.10 You acknowledge and consent generally to the appointment by Physitrack of third parties as sub-processors of Your Personal Data being processed under these Terms of Service. A current list of sub-processors can be found below in the table “Third Party Vendors (Subprocessors) that process data on behalf of Physitrack”.
1.11 Physitrack confirms that a) it shall impose on all sub-processors the same data protection obligations as set out in this clause and that b) it shall remain liable for the actions of its sub-processors.
1.12 Physitrack shall give You notice of the appointment of any new sub-processors and provide You with full details of the processing to be undertaken by the sub-processor, thereby giving You the opportunity to object to such appointment. If Physitrack so notifies You of any changes to sub-processors and You object to such changes, You will be entitled to terminate this Service (without liability for either party, and such termination will be deemed to be a no-fault termination) if You have reasonable grounds for objecting to such changes by reason of the changes causing or being likely to cause You to be in breach of the Data Protection Legislation.
1.13 The total aggregate liability of whatever nature, whether in contract, tort or otherwise, of Physitrack for any losses whatsoever and howsoever caused arising from or in any way connected with this Data Processing Agreement shall be subject to the “Limitation of Liability” clause set out in the Terms of Service. Notwithstanding the foregoing, nothing in this clause will seek to limit either party’s liability which cannot be legally limited, including (but not limited to) liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation.
1.14 You agree to indemnify, keep indemnified and defend at its own expense Physitrack against all costs, claims, damages or expenses incurred by Physitrack or for which Physitrack may become liable due to any failure by You or Your employees, subcontractors or agents to comply with any of its obligations under these Terms of Service and/or the Data Protection Legislation, in particular any failure by You to comply with the provisions of Clause 1.4 above.
Data Processing Details